So you want to build a Security Program? Part 1 - Vulnerability Scanning
-
@IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
@Dashrender said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
@IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
@DustinB3403 said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
@IRJ As in, you shouldn't be scanning everything on the open internet.
The FBI, NSA and other 3 letter government agencies will come knocking down your door.
No they won't. It's like walking or driving up to a house and looking and casing it out for a robbery. You aren't doing anything illegal until you breach the house.
Actually, this is now illegal in some country - not this exactly, but I can't recall where; some country (Japan maybe) just passed a law where it's illegal to plan something illegal.
It's impossible to police
Of course it is - it's just like another gun law - just one more thing to throw at people after they are caught.
Like Capone and taxes..
-
@Dashrender said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
@IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
@DustinB3403 said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
@IRJ As in, you shouldn't be scanning everything on the open internet.
The FBI, NSA and other 3 letter government agencies will come knocking down your door.
No they won't. It's like walking or driving up to a house and looking and casing it out for a robbery. You aren't doing anything illegal until you breach the house.
Actually, this is now illegal in some country - not this exactly, but I can't recall where; some country (Japan maybe) just passed a law where it's illegal to plan something illegal.
It's illegal most places, but impossible to prove.
-
I have installed using the hyperv image on my workstation. Have run a scan.
The scan results don't make any sense.
It is showing I am running about 10 different insecure versions of linux kernel, none of which I am running on the machine I scanned.
Above is a snippet of a pdf report of the scan showing me a list of kernels which are not on this server as far as I know.
uname -r
returns
-
Running
rpm -qa | grep kernel
showed 5 or 6 kernels still installed. whoops.
package-cleanup --oldkernels --count=2
removed all but the current and next oldest one.
-
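As an added example (not from the thread or from OpenVAS), a small POSIX-shell triage helper for the situation above: it reconciles a scanner's reported kernel version with what `uname -r` and the installed `kernel-*` packages say, separating the stale-package case momurda hit from the case where the scanner had no valid credentials and guessed. The inputs are constructed sample strings so it runs offline, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. On a real host replace the constructed
# samples with:  RUNNING=$(uname -r)  and  INSTALLED=$(rpm -qa 'kernel-[0-9]*')

# Constructed sample data (versions are illustrative, not real findings).
SAMPLE_RUNNING="3.10.0-693.11.1.el7.x86_64"
SAMPLE_INSTALLED="kernel-3.10.0-514.el7.x86_64
kernel-3.10.0-693.el7.x86_64
kernel-3.10.0-693.11.1.el7.x86_64"

# stale_kernels RUNNING INSTALLED_LIST
# Prints each installed kernel package whose version is not the running one.
# A credentialed scanner reads the package DB, so every one of these shows up
# as its own "vulnerable kernel" finding even though it never boots.
stale_kernels() {
    running="$1"
    printf '%s\n' "$2" | while IFS= read -r pkg; do
        [ -z "$pkg" ] && continue
        ver=${pkg#kernel-}   # kernel-3.10.0-514.el7.x86_64 -> 3.10.0-514.el7.x86_64
        if [ "$ver" != "$running" ]; then
            printf '%s\n' "$pkg"
        fi
    done
    return 0
}

# classify_finding RUNNING INSTALLED_LIST REPORTED_VERSION
# Explains one scanner finding for a kernel version:
#   running  - the active kernel: patch and reboot
#   stale    - installed but not booted: remove it (e.g. package-cleanup --oldkernels)
#   unknown  - not installed at all: the scanner most likely fingerprinted/guessed,
#              so check that the scan credentials actually worked
classify_finding() {
    running="$1"; installed="$2"; reported="$3"
    if [ "$reported" = "$running" ]; then
        echo running
    elif printf '%s\n' "$installed" | grep -Fxq "kernel-$reported"; then
        echo stale
    else
        echo unknown
    fi
}

# Demo on the constructed data.
echo "Stale kernel packages:"
stale_kernels "$SAMPLE_RUNNING" "$SAMPLE_INSTALLED"
for v in 3.10.0-693.11.1.el7.x86_64 3.10.0-514.el7.x86_64 2.6.32-999.el6.x86_64; do
    printf '%s -> %s\n' "$v" "$(classify_finding "$SAMPLE_RUNNING" "$SAMPLE_INSTALLED" "$v")"
done
```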
It's definitely taking my cpu for a sprint.....
-
@momurda said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
Running
rpm -qa | grep kernel
showed 5 or 6 kernels still installed. whoops.
package-cleanup --oldkernels --count=2
removed all but the current and next oldest one.
OpenVAS FTW.
-
As mentioned in the OP, OV is very resource inefficient. Nessus is a night and day difference, but isn't cheap.
-
@momurda said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
I have installed using the hyperv image on my workstation. Have run a scan.
The scan results don't make any sense.
It is showing I am running about 10 different insecure versions of linux kernel, none of which I am running on the machine I scanned.
Above is a snippet of a pdf report of the scan showing me a list of kernels which are not on this server as far as I know.
uname -r
returns
I've seen this before when credentials don't work and a vulnerability scanner has to guess the OS version. Are you sure the credentials worked on that first scan?
-
@IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
@momurda said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
I have installed using the hyperv image on my workstation. Have run a scan.
The scan results don't make any sense.
It is showing I am running about 10 different insecure versions of linux kernel, none of which I am running on the machine I scanned.
Above is a snippet of a pdf report of the scan showing me a list of kernels which are not on this server as far as I know.
uname -r
returns
I've seen this before when credentials don't work and a vulnerability scanner has to guess the OS version. Are you sure the credentials worked on that first scan?
Nvm reading comprehension helps.. Lol
-
Another thing to note is that Credentialed scans are much more polite compared to non Credentialed scans. Non Credentialed scans are much more taxing on the box since everything is guessed slamming the box.
-
@IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
Another thing to note is that Credentialed scans are much more polite compared to non Credentialed scans. Non Credentialed scans are much more taxing on the box since everything is guessed slamming the box.
A non-credentialed scan would be more akin to a hacker attacking and trying to get in, I would think.
Have you tried throwing more CPU cores at OpenVAS instead of / in addition to RAM?
I ran it on 4GB RAM / 4 CPU Cores for ~30 Servers and got reasonable performance out of it.
-
@dafyre said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
@IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
Another thing to note is that Credentialed scans are much more polite compared to non Credentialed scans. Non Credentialed scans are much more taxing on the box since everything is guessed slamming the box.
A non-credentialed scan would be more akin to a hacker attacking and trying to get in, I would think.
Have you tried throwing more CPU cores at OpenVAS instead of / in addition to RAM?
I ran it on 4GB RAM / 4 CPU Cores for ~30 Servers and got reasonable performance out of it.
How long did it take to complete on 30+ servers?
-
@dafyre said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
@IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
Another thing to note is that Credentialed scans are much more polite compared to non Credentialed scans. Non Credentialed scans are much more taxing on the box since everything is guessed slamming the box.
A non-credentialed scan would be more akin to a hacker attacking and trying to get in, I would think.
Have you tried throwing more CPU cores at OpenVAS instead of / in addition to RAM?
I ran it on 4GB RAM / 4 CPU Cores for ~30 Servers and got reasonable performance out of it.
Yes I have, but part of my bias is total time of scans compared to other solutions. I bet a Nessus scanner with 1GB of ram on 2 cores would finish in less than half the time. So I am comparing efficiency here.
-
@IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
@dafyre said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
@IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
Another thing to note is that Credentialed scans are much more polite compared to non Credentialed scans. Non Credentialed scans are much more taxing on the box since everything is guessed slamming the box.
A non-credentialed scan would be more akin to a hacker attacking and trying to get in, I would think.
Have you tried throwing more CPU cores at OpenVAS instead of / in addition to RAM?
I ran it on 4GB RAM / 4 CPU Cores for ~30 Servers and got reasonable performance out of it.
How long did it take to complete on 30+ servers?
I don't rightly remember an exact number, but I want to say an hour or three running the full, no-holds-barred scans. (I crashed a vulnerable server a time or two with it, ha ha!)
-
@dafyre said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
@IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
Another thing to note is that Credentialed scans are much more polite compared to non Credentialed scans. Non Credentialed scans are much more taxing on the box since everything is guessed slamming the box.
A non-credentialed scan would be more akin to a hacker attacking and trying to get in, I would think.
Yes, but in addition to the vulnerability scans you are going to see special scans depending on what they find. If I find a wordpress site, you better believe I am kicking off wpscan to look for weaknesses. If I know it is a DB server, I am going to try some SQL and oracle scans. You get the point.
So don't forget to run those type of scans with information you can gather from a non-credentialed scan.
-
@IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
@dafyre said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
@IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
Another thing to note is that Credentialed scans are much more polite compared to non Credentialed scans. Non Credentialed scans are much more taxing on the box since everything is guessed slamming the box.
A non-credentialed scan would be more akin to a hacker attacking and trying to get in, I would think.
Yes, but in addition to the vulnerability scans you are going to see special scans depending on what they find. If I find a wordpress site, you better believe I am kicking off wpscan to look for weaknesses. If I know it is a DB server, I am going to try some SQL and oracle scans. You get the point.
So don't forget to run those type of scans with information you can gather from a non-credentialed scan.
Does OpenVAS do this now? I don't recall that it did before (admittedly, it has been a while since I've used it).
-
For anyone that wants to test OpenVAS on something that is not remotely production and see OpenVAS light up like a Christmas tree, OWASP has a very vulnerable VM you can download.
https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
-
@dafyre said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
@IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
@dafyre said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
@IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
Another thing to note is that Credentialed scans are much more polite compared to non Credentialed scans. Non Credentialed scans are much more taxing on the box since everything is guessed slamming the box.
A non-credentialed scan would be more akin to a hacker attacking and trying to get in, I would think.
Yes, but in addition to the vulnerability scans you are going to see special scans depending on what they find. If I find a wordpress site, you better believe I am kicking off wpscan to look for weaknesses. If I know it is a DB server, I am going to try some SQL and oracle scans. You get the point.
So don't forget to run those type of scans with information you can gather from a non-credentialed scan.
Does OpenVAS do this now? I don't recall that it did before (admittedly, it has been a while since I've used it).
No. Most of those tools are available in Kali, but I prefer to use Ubuntu and install what I need.
-
So I've been using OpenVAS for a while now, and the results are enlightening. One question though is how do I make sure my NVTs are current?
I tried running
openvasmd --update && openvasmd --rebuild
from a shell and was told that openvasmd isn't recognized.
-
So @IRJ I wasn't sure where else to put this. Do you give root access to your vulnerability scanners? Just a conversation I've been having with some people here.